Microsoft Windows [Version 6.0.6001]
(C) Copyright 2006 Microsoft Corp.

c:\windows>netsh advfirewall consec add rule ?

Usage: add rule name=<string>
      endpoint1=any|localsubnet|dns|dhcp|wins|defaultgateway|
        <IPv4 address>|<IPv6 address>|<subnet>|<range>|<list>
      endpoint2=any|localsubnet|dns|dhcp|wins|defaultgateway|
        <IPv4 address>|<IPv6 address>|<subnet>|<range>|<list>
      action=requireinrequestout|requestinrequestout|
        requireinrequireout|noauthentication
      [description=<string>]
      [mode=transport|tunnel (default=transport)]
      [enable=yes|no (default=yes)]
      [profile=public|private|domain|any[,...] (default=any)]
      [type=dynamic|static (default=static)]
      [localtunnelendpoint=<IPv4 address>|<IPv6 address>]
      [remotetunnelendpoint=<IPv4 address>|<IPv6 address>]
      [port1=0-65535|any (default=any)]
      [port2=0-65535|any (default=any)]
      [protocol=0-255|tcp|udp|icmpv4|icmpv6|any (default=any)]
      [interfacetype=wireless|lan|ras|any (default=any)]
      [auth1=computerkerb|computercert|computerpsk|
         computerntlm|anonymous[,...]]
      [auth1psk=<string>]
      [auth1ca="<CA Name> [certmapping:yes|no] [excludecaname:yes|no] | ..."]
      [auth1healthcert=yes|no (default=no)]
      [auth2=computercert|userkerb|usercert|userntlm|anonymous[,...]]
      [auth2ca="<CA Name> [certmapping:yes|no] | ..."]
      [auth2healthcert=yes|no (default=no)]
      [qmpfs=dhgroup1|dhgroup2|dhgroup14|ecdhp256|ecdhp384|mainmode|
         none (default=none)]
      [qmsecmethods=
         ah:<integrity>+esp:<integrity>-<encryption>+[valuemin]+[valuekb]
         |default]
Remarks:

      - Rule name should be unique and cannot be "all".
      - When mode=tunnel, both tunnel endpoints must be specified and must be
        the same IP version. Also, action must be requireinrequireout.
      - At least one authentication must be specified.
      - Auth1 and auth2 can be comma-separated lists of options.
      - Computerpsk and computerntlm methods cannot be specified together
        for auth1.
      - Computercert cannot be specified with user credentials for auth2.
      - Qmsecmethods can be a list of proposals separated by a ",".
      - For qmsecmethods, integrity=md5|sha1 and
        encryption=3des|des|aes128|aes192|aes256
      - Qmpfs=mainmode uses the main mode key exchange setting for PFS.
      - The use of DES, MD5 and DHGroup1 is not recommended. These
        cryptographic algorithms are provided for backward compatibility
        only.
      - The default value for certmapping and excludecaname is 'no'.
      - The " characters within CA name must be replaced with \'
Examples:

      Add a rule for domain isolation using defaults:
      netsh advfirewall consec add rule name="isolation"
      endpoint1=any endpoint2=any action=requireinrequestout

      Add a rule with custom quick mode proposals:
      netsh advfirewall consec add rule name="custom"
      endpoint1=any endpoint2=any
      qmsecmethods=ah:md5+esp:md5-3des+60min+20480kb,ah:sha1
      action=requireinrequestout

      Create a tunnel mode rule from
      subnet A (192.168.0.0, external ip=1.1.1.1) to
      subnet B (192.157.0.0, external ip=2.2.2.2):
      netsh advfirewall consec add rule name="my tunnel" mode=tunnel
      endpoint1=192.168.0.0/16 endpoint2=192.157.0.0/16
      remotetunnelendpoint=2.2.2.2
      localtunnelendpoint=1.1.1.1 action=requireinrequireout

      Add a rule with CA name:
      netsh advfirewall consec add rule name="cert rule"
      endpoint1=any endpoint2=any action=requireinrequestout
      auth1=computercert auth1ca="C=US, O=MSFT, CN=\'Microsoft North,
      South, East, and West Root Authority\'"
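The help text's "custom" example pairs MD5 integrity with 3DES, which the remarks above flag as backward-compatibility-only. The following batch script is an added example, not part of the netsh help output: it shows the weak proposal next to a hardened equivalent (SHA-1 integrity, AES-256, DH group 14 PFS, explicit Kerberos computer authentication, domain profile only), then reads the rule back with `show rule` so you can confirm what netsh actually stored after it applied its defaults. The rule names, the 60-minute/20480 KB lifetimes and the errorlevel check are arbitrary choices for illustration.

```batch
@echo off
rem Added example (not from the netsh help text). Run from an elevated
rem command prompt; rule names and lifetimes below are arbitrary.

rem Weak form, kept commented out for contrast only: MD5 integrity, 3DES
rem encryption and DH group 1 PFS are the three options the remarks list
rem as provided for backward compatibility only.
rem netsh advfirewall consec add rule name="isolation-legacy" ^
rem     endpoint1=any endpoint2=any action=requireinrequestout ^
rem     auth1=computerkerb qmpfs=dhgroup1 ^
rem     qmsecmethods=ah:md5+esp:md5-3des+60min+20480kb

rem Hardened equivalent. auth1 is given explicitly rather than relying on
rem the tool's default, and the rule is scoped to the domain profile.
netsh advfirewall consec add rule name="isolation-hardened" ^
    endpoint1=any endpoint2=any ^
    action=requireinrequestout ^
    profile=domain ^
    auth1=computerkerb ^
    qmpfs=dhgroup14 ^
    qmsecmethods=esp:sha1-aes256+60min+20480kb
if errorlevel 1 (
    echo add rule was rejected; check the syntax against "add rule ?"
    exit /b 1
)

rem Read the stored rule back: netsh fills in defaults (enable, type,
rem interfacetype, auth2) that were not specified on the command line,
rem and this is where a typo in a value becomes visible.
netsh advfirewall consec show rule name="isolation-hardened" verbose

rem Roll back while testing:
rem netsh advfirewall consec delete rule name="isolation-hardened"
```

Because action=requireinrequestout only requests authentication for outbound traffic, a peer that does not negotiate IPsec still gets plaintext replies; use requireinrequireout (as the tunnel example does) once every peer in scope can authenticate.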